Quickstart

From fresh laptop to signed audit report in under five minutes. Tested on macOS 14+, Ubuntu 22.04+, RHEL 9+, and WSL2.

1. Install

# macOS / Linux / WSL2
curl -fsSL https://get.obexum.com | sh

# or download the binary directly:
curl -L -o obexum https://get.obexum.com/v0.9/obexum-$(uname -s)-$(uname -m)
chmod +x obexum
sudo mv obexum /usr/local/bin/

Verify the install:

obexum --version
# obexum 0.9.0 (build 2026-04-27)

2. Bootstrap your local environment

obexum init

This creates:

~/.obexum/config.yaml — defaults you can edit later
~/.obexum/keys/ — folder for SSH keypairs
~/.obexum/scans/ — engagement directory root
~/.obexum/obexum.db — local SQLite for history + diff

If you do not yet have an SSH key for Obexum to use, generate one:

ssh-keygen -t ed25519 -f ~/.obexum/keys/obexum_ed25519 -N ""
ssh-copy-id -i ~/.obexum/keys/obexum_ed25519.pub Administrator@10.0.0.5

Security note. The Obexum SSH key is your audit identity. Never reuse the same key for a service account or check-in automation. Keep ~/.obexum/keys/ in chmod 700.

3. Register your first target

obexum targets add prod-dc-01 \
    --type windows-dc \
    --host 10.0.0.5 \
    --user Administrator

List what you have:

obexum targets list

# NAME        TYPE        HOST           USER           ADDED
# prod-dc-01  windows-dc  10.0.0.5       Administrator  2026-04-27T18:14:39Z

4. Run your first scan

obexum scan run prod-dc-01

You will see real-time check progress. A typical first-time scan against a Server 2022 DC takes ~3 minutes.

5. Read the report

# open the HTML report in your browser
firefox ~/.obexum/scans/$(ls -t ~/.obexum/scans/ | head -1)/findings.html

# or list findings on the CLI
obexum findings list

# or drill into one
obexum findings show AUD-WIN-ADCS-001

6. Render a remediation playbook

obexum playbook list --platform windows-dc

obexum playbook render pb-windows-dc-adcs-001 \
    --target prod-dc-01 \
    --item OBX_ESC1_AltSAN \
    -o fix-ADCS-001.ps1

Read before you run. The script is dry-run output for a change-management reviewer. Obexum does not execute it. The header lists every advisory and the rollback section is at the bottom.

7. After remediation, validate

# Run the change in your maintenance window, then:
obexum scan run prod-dc-01 --only AUD-WIN-ADCS-001

# Or diff the full scan against your previous baseline
obexum diff <previous-scan-id> <new-scan-id>

Quickstart

1. Install

2. Bootstrap your local environment

3. Register your first target

4. Run your first scan

5. Read the report

6. Render a remediation playbook

7. After remediation, validate

Next steps